Last updated 01/30/2023

What Do I Need to Do to Be SCA Compliant?

In January 2018, the second Payment Services Directive (PSD2) came into force. This was introduced to increase consumer protection, improve payment security and prevent fraud. From 14 March 2022, having 3DS V.2 will make your business SCA compliant. If you don’t yet have this, speak to your payment gateway provider.


What’s Strong Customer Authentication (SCA)?

All electronic payments, whether face to face or remote, require SCA. This means a customer must authenticate their payment using at least two independent factors:

Possession – something only you have.

For example, your mobile device registered with your issuing bank or a hardware token that has been issued to you.

Inherence – something only you are.

For example, your fingerprint, iris scan or other form of biometric that can uniquely identify you.

Knowledge – something only you know.

For example, a unique passphrase or identification number that is known only to you.

Further information on PSD2 and SCA can be found within our Blog section. You’ll find our whitepaper called ‘The changing face of card payments’ and our blog called ‘Payment Services Directive 2 (PSD2)’ there.


Does SCA apply to all transactions?

  • Chip and PIN transactions already adhere to SCA
  • Contactless payments are exempt, however, a new decline code is being introduced that will ask the cardholder to complete a chip and PIN transaction if extra security is required (see the Face to Face Transactions section)
  • Unattended parking and transport terminals are exempt
  • All other unattended devices are required to support chip and PIN
  • Mail Order and Telephone Order (MOTO) transactions, Recurring Transactions and Merchant Initiated Transactions (Stored Credential Transactions, also known as Credential on File Transactions), are out of scope for SCA but need to be flagged correctly (see the MOTO and Merchant Initiated Transaction section)
  • Ecommerce transactions require SCA (see the Ecommerce Transaction section)
  • Anonymous transactions (pre-paid cards) are not subject to the SCA mandate
  • International transactions – it may not be possible for UK-based customers to apply SCA to transactions when the card issuer isn’t located in the European Economic Area (EEA), but you should still attempt SCA for all transactions

How’s my business affected by SCA?

The changes you need to make for SCA depend on the type of transactions you process. Please refer to the following sections to see what you need to do.

Face to Face Transactions

  1. Chip and PIN transactions already comply with the SCA requirement for two-factor authentication. Your customer is in possession of their card and knows their PIN.
  2. Transactions made using a mobile device, like a mobile phone, also comply with SCA, as the customer is in possession of their phone and uses a fingerprint to uniquely identify themselves.
  3. Contactless transactions don’t fulfil the requirement for two-factor authentication but are exempt from the SCA requirement. However, additional security requirements may be requested by the card issuer. A new decline code is being introduced that will ask the cardholder to complete a chip and PIN transaction where that extra security is required.

What do I need to do?

If you rent your terminal from us, we’ll make the changes for you. Just ensure that you and your staff understand what’s happening and be ready to reassure cardholders that there’s no problem with their card or their account, just that it’s an extra security check requested by their card issuer.

If you own or rent your terminal from another source, contact them immediately to discuss the decline code changes needed for the step up from a Contactless to chip and PIN transaction. Details of the technical requirements for SCA can be found in our PSD2 and Strong Customer Authentication Technical Implementation Guide.

MOTO and Merchant Initiated Transactions

  1. While MOTO and Merchant Initiated Transactions (Stored Credential Transactions, also known as Credential on File Transactions, where card details are stored for future use), are out of scope for SCA, if the card issuer doesn’t know they’re one of these kinds of transactions, they may request SCA. If the cardholder is unable to provide the necessary authentication, the transaction will be declined.

What do I need to do?

It’s critical that all transactions are flagged correctly.

If you rent your terminal from us or use our E-Commerce Platform, we’ve made all the necessary changes to ensure transactions contain the correct flags.

If you own or rent your terminal from another source or use a third party provider for your ecommerce service, contact them immediately to ensure your transactions are flagged correctly.

Further information on Stored Credential Transactions and details of their technical requirements can be found on our website within our Customer Centre under the Stored Credential Transactions tile. They’ll also need to apply the technical requirements, which can be found in our PSD2 and Strong Customer Authentication Technical Implementation Guide.

Ecommerce Transactions

  1. Payments made via a website require SCA. These transactions must now support 3D Secure, which is the ecommerce authentication protocol by the Card Schemes, such as Mastercard and Visa. This allows the cardholder to authenticate themselves as the genuine holder of the card. Under PSD2, card issuers are obliged to challenge and potentially decline transactions that don’t comply.

A new version of 3D Secure (3D Secure 2 – 3DS2) has been introduced to comply with new regulations and provide a better customer experience, more security for your business and a frictionless payment experience. Read our blog called ‘3D Secure 2 – A Beginner’s Guide’.

What do I need to do?

If you use our Global Payments E-Commerce Platform (previously Realex Payments), this currently supports 3DS V.2. You should have already received communications from us about the changes you need to make to comply with the new SCA requirements. If you’ve any questions about the changes or would like more information on our E-Commerce Platform, please email ecomsupport@globalpay.com.

If you use a third party provider for your ecommerce services, you need to review the way in which you accept card payments. Please speak to your solution provider to make sure your solution is up to date with all the flagging requirements and that they’re making changes for the SCA mandate. Our 3DS V.2 solution may be used alongside your existing gateway solution, if required. You can contact us on the email above for help with this.

Details of the technical requirements for SCA can be found in our PSD2 and Strong Customer Authentication Technical Implementation Guide.


Ready to Get Started?

  1. Remember, these changes are being made to increase consumer protection, improve payment security and prevent fraud, which will benefit your business
  2. Read the information we’ve provided on our website to help understand what the SCA requirements are
  3. If you own or rent your terminal from another source or use a third party provider for your ecommerce service, contact them immediately to ensure they’re making the necessary changes and share our technical docs with them

We know that these changes can be confusing, so there are answers to some questions we think you may have in our FAQs. We also have an SCA Decision Tree.

Take a look at these and if you have any other questions, or you want to talk to someone about how SCA affects your business, please call your Relationship Manager or our helpdesk on 0345 702 3344*, selecting the option for ‘all other enquiries’.

*Lines are open between 9am - 6pm Monday to Friday, excluding public holidays. If you have a speech or hearing impairment, you can call us using the Relay Service by dialling 18001 followed by 0345 702 3344*. To help us continually improve on our service and in the interests of security, we may monitor and/or record your telephone calls with us. Any recordings remain our sole property.



Global Payments is a trading name of GPUK LLP. GPUK LLP is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017 (504290) for the provision of payment services and under the Consumer Credit Act (714439) for the undertaking of terminal rental agreements. GPUK LLP is a limited liability partnership registered in England with company number OC337146. Registered Office: Granite House, Granite Way, Syston, Leicester, LE7 1PL. The members are Global Payments U.K. Limited and Global Payments U.K. 2 Limited. Service of any documents relating to the business will be effective if served at the Registered Office.

Global Payments is also a trading name of Pay and Shop Limited. Pay and Shop Limited is a limited company registered in Ireland with company number 324929. Registered Office: The Observatory, 7-11 Sir John Rogerson's Quay, Dublin 2, Ireland. Service of any documents relating to the business will be effective if served at the Registered Office.

© 2023 GPUK LLP. All rights reserved.